Problem in mod_ssl 2.8.10 + Apache 1.3.26/WIn32 ?

on 15.10.2002 17:13:35 by Sergey Strakhov


Hello,

We are experiencing problems with our Win32 Apache 1.3.26 with mod_ssl
2.8.10 + openssl 0.9.6b running on Windows 2000.
It is a sort of DoS attack that makes our web site totally inaccessible.

One of those attacks was captured with Ethereal. The dump is attached.

As you can see, the attack is accomplished through both HTTP (80) and
HTTPS (443) ports.
First, the connection is opened to the HTTP port, then it is opened to
the HTTPS port.
Then a malformed HTTP/1.1 GET request (with no Host: header) is sent to
the HTTP port.
Then both connections are closed without waiting for the response from
the web server.
As a result, the web site stops responding on both HTTP and HTTPS ports.

The error log usually contains records like:

[..time..] [error] [client ..] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[..time..] [error] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting

Is this problem related to mod_ssl anyhow?
Will an upgrade to Apache 1.3.27 + mod_ssl 2.8.11 + openssl 0.9.6g solve
the problem?

Regards



____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
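
Added example, not part of the original post: a log check for the signature described in the message above. It reports each "ran out of threads" error together with the clients whose Host-less HTTP/1.1 request was logged shortly before it. The sample log, its timestamps, the client addresses and the 60-second window are constructed assumptions; the two message strings are the ones quoted in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Apache 1.3 error_log format; timestamps and the
# client addresses (documentation range 192.0.2.0/24) are made up.
SAMPLE_LOG = """\
[Tue Oct 15 17:10:02 2002] [error] [client 192.0.2.7] File does not exist: c:/apache/htdocs/favicon.ico
[Tue Oct 15 17:13:35 2002] [error] [client 192.0.2.44] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Tue Oct 15 17:13:41 2002] [error] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting
[Tue Oct 15 17:40:00 2002] [error] [client 192.0.2.9] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
NO_HOST = "client sent HTTP/1.1 request without hostname"
NO_THREADS = "Server ran out of threads to serve requests"

def parse(log_text):
    """Yield (timestamp, client or None, message) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip continuation lines and anything unparseable
        try:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # timestamp not in the expected error_log format
        yield ts, m["client"], m["msg"]

def correlate(log_text, window_seconds=60):
    """Return [(exhaustion_time, [clients])]: for every thread-exhaustion
    error, the clients whose Host-less HTTP/1.1 request was logged in the
    preceding window. An empty client list means no such request was seen."""
    window = timedelta(seconds=window_seconds)
    recent = []    # (timestamp, client) of Host-less requests seen so far
    findings = []
    for ts, client, msg in parse(log_text):
        if msg.startswith(NO_HOST) and client:
            recent.append((ts, client))
        elif msg.startswith(NO_THREADS):
            recent = [(t, c) for t, c in recent if ts - t <= window]
            findings.append((ts, sorted({c for _, c in recent})))
    return findings

if __name__ == "__main__":
    for when, clients in correlate(SAMPLE_LOG):
        print(when.isoformat(), "thread exhaustion; Host-less requests from:", clients)
```

A match shows only that the two errors were logged close together; it does not by itself establish that the listed client caused the exhaustion.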

Re: Problem in mod_ssl 2.8.10 + Apache 1.3.26/WIn32 ?

on 15.10.2002 17:27:50 by nyh

On Tue, Oct 15, 2002, Sergey Strakhov wrote about "Problem in mod_ssl 2.8.10 + Apache 1.3.26/WIn32 ?":
> We are experiencing problems with our Win32 Apache 1.3.26 with mod_ssl
> 2.8.10 + openssl 0.9.6b running on Windows 2000.
> It is a sort of DoS attack that makes our web site totally inaccessible.

From your description it sounds like this is the worm described in:

http://www.cert.org/advisories/CA-2002-27.html

However, to the best of my knowledge, this worm cannot infect your Windows -
it will only kill your server.

> Will an upgrade to Apache 1.3.27 + mod_ssl 2.8.11 + openssl 0.9.6g solve
> the problem?

Yes, I think it will.


--
Nadav Har'El | Tuesday, Oct 15 2002, 9 Heshvan 5763
nyh@math.technion.ac.il |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Tact is the art of making a point without
http://nadav.harel.org.il |making an enemy.

Re: Problem in mod_ssl 2.8.10 + Apache 1.3.26/WIn32 ?

on 29.10.2002 18:25:47 by Sergey Strakhov

> On Tue, Oct 15, 2002, Sergey Strakhov wrote about "Problem in mod_ssl 2.8.10 + Apache 1.3.26/WIn32 ?":
> > We are experiencing problems with our Win32 Apache 1.3.26 with mod_ssl
> > 2.8.10 + openssl 0.9.6b running on Windows 2000.
> > It is a sort of DoS attack that makes our web site totally inaccessible.
>
> From your description it sounds like this is the worm described in:
>
> http://www.cert.org/advisories/CA-2002-27.html
>
> However, to the best of my knowledge, this worm cannot infect your Windows -
> it will only kill your server.

Not exactly... It looks more like a Cross-Site-Scripting bug...


> > Will an upgrade to Apache 1.3.27 + mod_ssl 2.8.11 + openssl 0.9.6g solve
> > the problem?
>
> Yes, I think it will.

Version 2.8.11 did not help. But 2.8.12 probably should.


